Inputs
The following input variables are supported:
body_size_limit_mb
Description: The maximum body size in MB
Type: number
Default: null
cdn_mode_enabled
Description: Whether a CDN should be used in front of the ingresses
Type: bool
Default: false
cors_allow_credentials
Description: Whether to set the 'Access-Control-Allow-Credentials' header to 'true'
Type: bool
Default: true
cors_allowed_headers
Description: Extra headers to allow on CORS requests
Type: list(string)
Default:
[ "DNT", "Keep-Alive", "User-Agent", "X-Requested-With", "If-Modified-Since", "Cache-Control", "Content-Disposition", "Content-Type", "Range", "Authorization", "Cookies", "Referrer", "Accept", "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform", "X-Suggested-File-Name", "Cookie"]
cors_allowed_methods
Description: The methods to allow on CORS requests
Type: list(string)
Default:
[ "GET", "HEAD", "POST", "OPTIONS", "PUT", "PATCH", "DELETE"]
cors_allowed_origins_any
Description: Whether to allow any origin on CORS requests
Type: bool
Default: false
cors_allowed_origins_self
Description: Whether the ingress domains should be allowed origins on CORS requests
Type: bool
Default: true
cors_allowed_origins_sibling_domains
Description: Whether sibling domains of the ingress domains should be allowed origins on CORS requests
Type: bool
Default: true
cors_allowed_origins_subdomains
Description: Whether subdomains of the ingress domains should be allowed origins on CORS requests
Type: bool
Default: true
cors_enabled
Description: Whether to enable CORS response handling in NGINX
Type: bool
Default: false
cors_exposed_headers
Description: The extra headers to expose in CORS responses
Type: list(string)
Default:
[ "Content-Encoding", "Date", "Location", "X-Frame-Options", "X-Content-Type-Options", "Permissions-Policy", "X-XSS-Protection", "Vary", "Cross-Origin-Response-Policy", "Cross-Origin-Opener-Policy", "Cross-Origin-Embedder-Policy", "Content-Security-Policy", "Referrer-Policy"]
cors_extra_allowed_origins
Description: Extra origins allowed on CORS requests
Type: list(string)
Default: []
cors_max_age_seconds
Description: Controls how long (in seconds) CORS preflight responses may be cached
Type: number
Default: 86400
cors_native_handling_enabled
Description: Whether to use the native NGINX-ingress annotations to handle CORS rather than the Panfactum logic
Type: bool
Default: false
cross_origin_embedder_policy
Description: The value for the Cross-Origin-Embedder-Policy header
Type: string
Default: "require-corp"
cross_origin_isolation_enabled
Description: Whether to enable the Cross-Origin-Opener-Policy header
Type: bool
Default: false
cross_origin_opener_policy
Description: The value for the Cross-Origin-Opener-Policy header
Type: string
Default: "same-origin"
cross_origin_resource_policy
Description: The value for the Cross-Origin-Resource-Policy header
Type: string
Default: "same-site"
csp_base_uri
Description: The base-uri content security policy
Type: string
Default: null
csp_connect_src
Description: The connect-src content security policy
Type: string
Default: "'self' ws:"
csp_default_src
Description: The default-src content security policy
Type: string
Default: "'self'"
csp_enabled
Description: Whether the Content-Security-Policy header should be added to responses
Type: bool
Default: false
csp_fenced_frame_src
Description: The fenced-frame-src content security policy
Type: string
Default: null
csp_font_src
Description: The font-src content security policy
Type: string
Default: "'self' https: data:"
csp_form_action
Description: The form-action content security policy
Type: string
Default: null
csp_frame_ancestors
Description: The frame-ancestors content security policy
Type: string
Default: null
csp_frame_src
Description: The frame-src content security policy
Type: string
Default: null
csp_img_src
Description: The img-src content security policy
Type: string
Default: "'self' data:"
csp_manifest_src
Description: The manifest-src content security policy
Type: string
Default: null
csp_media_src
Description: The media-src content security policy
Type: string
Default: null
csp_non_html
Description: The full content security policy for non-HTML responses
Type: string
Default: "default-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests"
csp_object_src
Description: The object-src content security policy
Type: string
Default: "'none'"
csp_override
Description: Whether to override the Content-Security-Policy header if set from the upstream server
Type: bool
Default: false
csp_report_to
Description: The report-to content security policy
Type: string
Default: null
csp_report_uri
Description: The report-uri content security policy
Type: string
Default: null
csp_sandbox
Description: The sandbox content security policy
Type: string
Default: null
csp_script_src
Description: The script-src content security policy
Type: string
Default: null
csp_script_src_elem
Description: The script-src-elem content security policy
Type: string
Default: null
csp_style_src
Description: The style-src content security policy
Type: string
Default: "'self'"
csp_style_src_attr
Description: The style-src-attr content security policy
Type: string
Default: null
csp_style_src_elem
Description: The style-src-elem content security policy
Type: string
Default: null
csp_worker_src
Description: The worker-src content security policy
Type: string
Default: null
domains
Description: Which domains the generated ingresses will listen on
Type: list(string)
Default: n/a
extra_annotations
Description: Extra annotations to add to all the ingress objects
Type: map(string)
Default: {}
extra_configuration_snippet
Description: An extra NGINX configuration snippet to add to the route handlers
Type: string
Default: ""
extra_response_headers
Description: A key-value mapping of extra headers to add to every response
Type: map(string)
Default: {}
generate_cert_enabled
Description: Whether to generate a new cert for these ingresses. In most cases this is unnecessary as the default cert for the cluster provides sufficient coverage. However, this may be necessary for nested subdomains.
Type: bool
Default: false
idle_timeout_seconds
Description: The idle timeout in seconds
Type: number
Default: null
ingress_configs
Description: A list of ingress configurations, one per ingress to create
Type:
list(object({
  # This ingress matches all incoming requests on the indicated domains that have the indicated path prefixes
  path_prefix   = optional(string, "/")
  remove_prefix = optional(bool, false) # True iff the path_prefix should be stripped before forwarding on to upstream service

  # The backing Kubernetes service
  service      = string
  service_port = number

  # Rules for mutating the request path before it is forwarded to the upstream service
  rewrite_rules = optional(list(object({
    match   = string
    rewrite = string
  })), [])

  # TLS Config
  tls_secret_name = optional(string) # The name of the secret containing the cert-manager provided public TLS certificate. Will override any certs generated by this module.

  # Misc
  extra_annotations = optional(map(string), {}) # Extra annotations that will only apply to this ingress_config

  # CDN Configuration
  cdn = optional(object({
    extra_origin_headers = optional(map(string), {}) # Headers sent from the CDN to the origin

    # The default behavior of the CDN before routing requests to this ingress
    default_cache_behavior = optional(object({
      caching_enabled      = optional(bool, true)                                                                  # Whether the CDN should cache responses from the origin (overrides all other caching settings)
      allowed_methods      = optional(list(string), ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]) # What HTTP methods are allowed
      cached_methods       = optional(list(string), ["GET", "HEAD"])                                               # What HTTP methods will be cached
      min_ttl              = optional(number, 0)                                                                   # Minimum cache time
      default_ttl          = optional(number, 86400)                                                               # Default cache time
      max_ttl              = optional(number, 31536000)                                                            # Maximum cache time
      cookies_in_cache_key = optional(list(string), ["*"])                                                         # Which cookies will be included in the cache key (Providing "*" means ALL cookies)
      headers_in_cache_key = optional(list(string), [                                                              # Which headers will be included in the cache key
        "Authorization",
        "Origin",
        "x-http-method-override",
        "x-http-method",
        "x-method-override",
        "x-forwarded-host",
        "x-host",
        "x-original-url",
        "x-rewrite-url",
        "forwarded"
      ])
      query_strings_in_cache_key  = optional(list(string), ["*"])                # Which query strings will be included in the cache key (Providing "*" means ALL query strings)
      cookies_not_forwarded       = optional(list(string), [])                   # Which cookies will NOT be forwarded to the ingress from the CDN
      headers_not_forwarded       = optional(list(string), [])                   # Which headers will NOT be forwarded to the ingress from CDN
      query_strings_not_forwarded = optional(list(string), [])                   # Which query strings will NOT be forwarded to the ingress from the CDN
      compression_enabled         = optional(bool, true)                         # Whether the CDN performs compression on your assets
      viewer_protocol_policy      = optional(string, "redirect-to-https")        # What should happen based on the client protocol (HTTP vs HTTPS). One of: allow-all, https-only, redirect-to-https
    }))

    # Similar to default_cache_behavior but allows you to specify specific rules for certain path patterns
    # The keys for this map are the path patterns (e.g., "*.jpg")
    # Path patterns will automatically be prefixed with the path_prefix value, so it can be omitted
    path_match_behavior = optional(map(object({
      caching_enabled      = optional(bool, true) # Whether the CDN should cache responses from the origin (overrides all other caching settings)
      allowed_methods      = optional(list(string), ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"])
      cached_methods       = optional(list(string), ["GET", "HEAD"])
      min_ttl              = optional(number, 0)
      default_ttl          = optional(number, 86400)
      max_ttl              = optional(number, 31536000)
      cookies_in_cache_key = optional(list(string), ["*"])
      headers_in_cache_key = optional(list(string), [
        "Authorization",
        "Origin",
        "x-http-method-override",
        "x-http-method",
        "x-method-override",
        "x-forwarded-host",
        "x-host",
        "x-original-url",
        "x-rewrite-url",
        "forwarded"
      ])
      query_strings_in_cache_key  = optional(list(string), ["*"])
      cookies_not_forwarded       = optional(list(string), [])
      headers_not_forwarded       = optional(list(string), [])
      query_strings_not_forwarded = optional(list(string), [])
      compression_enabled         = optional(bool, true)
      viewer_protocol_policy      = optional(string, "redirect-to-https")
    })), {})
  }))
}))
Default: n/a
name
Description: The name of the ingresses that will get created
Type: string
Default: n/a
namespace
Description: The namespace in which the ingress resource should be created
Type: string
Default: n/a
permissions_policy_accelerometer
Description: The permissions policy for the accelerometer directive
Type: string
Default: "()"
permissions_policy_ambient_light_sensor
Description: The permissions policy for the ambient-light-sensor directive
Type: string
Default: "()"
permissions_policy_autoplay
Description: The permissions policy for the autoplay directive
Type: string
Default: "()"
permissions_policy_battery
Description: The permissions policy for the battery directive
Type: string
Default: "()"
permissions_policy_bluetooth
Description: The permissions policy for the bluetooth directive
Type: string
Default: "()"
permissions_policy_camera
Description: The permissions policy for the camera directive
Type: string
Default: "()"
permissions_policy_display_capture
Description: The permissions policy for the display-capture directive
Type: string
Default: "()"
permissions_policy_document_domain
Description: The permissions policy for the document-domain directive
Type: string
Default: "(self)"
permissions_policy_enabled
Description: Whether to enable the Permissions-Policy header in HTML responses.
Type: bool
Default: false
permissions_policy_encrypted_media
Description: The permissions policy for the encrypted-media directive
Type: string
Default: "()"
permissions_policy_execution_while_not_rendered
Description: The permissions policy for the execution-while-not-rendered directive
Type: string
Default: "(self)"
permissions_policy_execution_while_out_of_viewport
Description: The permissions policy for the execution-while-out-of-viewport directive
Type: string
Default: "(self)"
permissions_policy_fullscreen
Description: The permissions policy for the fullscreen directive
Type: string
Default: "()"
permissions_policy_gamepad
Description: The permissions policy for the gamepad directive
Type: string
Default: "(self)"
permissions_policy_geolocation
Description: The permissions policy for the geolocation directive
Type: string
Default: "()"
permissions_policy_gyroscope
Description: The permissions policy for the gyroscope directive
Type: string
Default: "()"
permissions_policy_hid
Description: The permissions policy for the hid directive
Type: string
Default: "(self)"
permissions_policy_identity_credentials_get
Description: The permissions policy for the identity-credentials-get directive
Type: string
Default: "()"
permissions_policy_idle_detection
Description: The permissions policy for the idle-detection directive
Type: string
Default: "()"
permissions_policy_local_fonts
Description: The permissions policy for the local-fonts directive
Type: string
Default: "(self)"
permissions_policy_magnetometer
Description: The permissions policy for the magnetometer directive
Type: string
Default: "()"
permissions_policy_microphone
Description: The permissions policy for the microphone directive
Type: string
Default: "()"
permissions_policy_midi
Description: The permissions policy for the midi directive
Type: string
Default: "()"
permissions_policy_otp_credentials
Description: The permissions policy for the otp-credentials directive
Type: string
Default: "()"
permissions_policy_override
Description: Whether to override the Permissions-Policy header if set from the upstream server
Type: bool
Default: false
permissions_policy_payment
Description: The permissions policy for the payment directive
Type: string
Default: "()"
permissions_policy_picture_in_picture
Description: The permissions policy for the picture-in-picture directive
Type: string
Default: "(self)"
permissions_policy_publickey_credentials_create
Description: The permissions policy for the publickey-credentials-create directive
Type: string
Default: "()"
permissions_policy_publickey_credentials_get
Description: The permissions policy for the publickey-credentials-get directive
Type: string
Default: "()"
permissions_policy_screen_wake_lock
Description: The permissions policy for the screen-wake-lock directive
Type: string
Default: "()"
permissions_policy_serial
Description: The permissions policy for the serial directive
Type: string
Default: "()"
permissions_policy_speaker_selection
Description: The permissions policy for the speaker-selection directive
Type: string
Default: "()"
permissions_policy_storage_access
Description: The permissions policy for the storage-access directive
Type: string
Default: "()"
permissions_policy_usb
Description: The permissions policy for the usb directive
Type: string
Default: "()"
permissions_policy_web_share
Description: The permissions policy for the web-share directive
Type: string
Default: "()"
permissions_policy_window_management
Description: The permissions policy for the window-management directive
Type: string
Default: "()"
permissions_policy_xr_spatial_tracking
Description: The permissions policy for the xr-spatial-tracking directive
Type: string
Default: "()"
rate_limiting_enabled
Description: Whether to enable rate limiting
Type: bool
Default: true
redirect_rules
Description: A list of redirect rules that the ingress will match against before sending requests to the upstreams
Type:
list(object({
  source    = string                # A regex string for matching the entire request url (^https://domain.com(/.*)?$)
  target    = string                # The redirect target (can use numbered capture groups from the source - https://domain2.com/$1)
  permanent = optional(bool, false) # If true will issue a 301 redirect; otherwise, will use 302
}))
Default: []
referrer_policy
Description: The value for Referrer-Policy header.
Type: string
Default: "no-referrer"
x_content_type_options_enabled
Description: Whether X-Content-Type-Options should be set to nosniff
Type: bool
Default: true
x_frame_options
Description: The value for the X-Frame-Options header.
Type: string
Default: "SAMEORIGIN"
x_xss_protection
Description: The value for the X-XSS-Protection header.
Type: string
Default: "1; mode=block"
Outputs
The following outputs are exported:
cdn_origin_configs
Description: Configuration to be passed to the kube_cdn module to configure the CDN
Providers
The following providers are needed by this module:
kubectl (2.1.6)
kubernetes (2.35.0)
pf (0.0.7)
random (3.8.1)